Initial changes

Author: root

.env.sample

@@ -0,0 +1,13 @@
+# Image
+POSTGRESQL_IMAGE=postgres:alpine
+REDIS_IMAGE=redis:latest
+GITLAB_IMAGE=gitlab/gitlab-ce:latest 
+
+# Volumes
+configs=./configs
+env_files=./env_files
+secrets=./secrets
+volumes=./volumes
+
+# GitLab External URL
+GTILAB_EXTERNAL_URL="https://gitlab.example.com"

.gitignore

@@ -0,0 +1,7 @@
+env_files/*.env
+secrets/*.txt
+volumes/*
+
+!volumes/.gitkeep
+
+.env

README.md

@@ -0,0 +1,52 @@
+# Gitlab docker-compose
+
+Description:
+This is supposed to be a gitlab docker-compose stack with the possibility of loadbalancing each component.
+You might have to read some gitlab-omnibus docs, in order to undersand how to loadbalance each service.
+
+<!--
+## Services
+
+There are mulitple services
+-->
+
+## Docs that helped me
+
+INFO: These are CE (Community Edition) docs, meaning they might differ from EE (Enterprise Edition) docs!
+
+* [Architecture](https://docs.gitlab.com/ce/development/architecture.html) <- lot's of links to configurations
+* [Architecture with 2k Users](https://docs.gitlab.com/ce/administration/reference_architectures/2k_users.html)
+* [Omnibus](https://docs.gitlab.com/omnibus/)
+* [Gitaly on it's own server](https://docs.gitlab.com/ce/administration/gitaly/#run-gitaly-on-its-own-server)
+* [Load Balancer Ports](https://docs.gitlab.com/ce/administration/load_balancer.html#ports)
+* [Nginx Supporting proxied SSL](https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl)
+
+## Configs
+
+Adjust by preferences, seperated by folders.
+
+## Env Files
+
+INFO: originals will not be pushed, but there are .sample files, rename them
+
+There are env files in multiple locations.
+In the root of this project there is a .env file.
+At env_files/ there are env files for each service.
+
+## Secrets
+
+INFO: will not be pushed
+
+In the secrets/ folder are all secrets,
+there should be following files in there:
+
+* gitlab_root_password.txt
+  * User: root
+* postgres_password.txt
+  * User: postgres
+* redis_password.txt
+  * User: [X]
+
+## Volumes
+
+INFO: will not be pushed

configs/gitaly/gitlab.rb

@@ -0,0 +1,48 @@
+# Gitaly and GitLab use two shared secrets for authentication, one to authenticate gRPC requests
+# to Gitaly, and a second for authentication callbacks from GitLab-Shell to the GitLab internal API.
+# The following two values must be the same as their respective values
+# of the GitLab Rails application setup
+gitaly['auth_token'] = File.read('/run/secrets/gitaly_auth_token')
+gitlab_shell['secret_token'] = File.read('/run/secrets/gitlab_shell_secret_token')
+
+# Avoid running unnecessary services on the Gitaly server
+postgresql['enable'] = false
+redis['enable'] = false
+nginx['enable'] = false
+puma['enable'] = false
+unicorn['enable'] = false
+sidekiq['enable'] = false
+gitlab_workhorse['enable'] = false
+grafana['enable'] = false
+
+# If you run a separate monitoring node you can disable these services
+alertmanager['enable'] = false
+prometheus['enable'] = false
+
+# Prevent database connections during 'gitlab-ctl reconfigure'
+gitlab_rails['rake_cache_clear'] = false
+gitlab_rails['auto_migrate'] = false
+
+# Configure the gitlab-shell API callback URL. Without this, `git push` will
+# fail. This can be your 'front door' GitLab URL or an internal load
+# balancer.
+# Don't forget to copy `/etc/gitlab/gitlab-secrets.json` from web server to Gitaly server.
+gitlab_rails['internal_api_url'] = 'http://rails'
+
+# Make Gitaly accept connections on all network interfaces. You must use
+# firewalls to restrict access to this address/port.
+# Comment out following line if you only want to support TLS connections
+gitaly['listen_addr'] = "0.0.0.0:8075"
+gitaly['prometheus_listen_addr'] = "0.0.0.0:9236"
+
+# Set the network addresses that the exporters used for monitoring will listen on
+node_exporter['listen_address'] = '0.0.0.0:9100'
+
+git_data_dirs({
+  'default' => {
+    'path' => '/var/opt/gitlab/git-data'
+  },
+  'storage1' => {
+    'path' => '/var/opt/gitlab/git-data1'
+  },
+})

configs/rails/gitlab.rb

@@ -0,0 +1,57 @@
+external_url ENV['EXTERNAL_URL']
+
+# Gitaly and GitLab use two shared secrets for authentication, one to authenticate gRPC requests
+# to Gitaly, and a second for authentication callbacks from GitLab-Shell to the GitLab internal API.
+# The following two values must be the same as their respective values
+# of the Gitaly setup
+gitlab_rails['gitaly_token'] = File.read('/run/secrets/gitaly_auth_token')
+gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password')
+gitlab_shell['secret_token'] = File.read('/run/secrets/gitlab_shell_secret_token')
+
+git_data_dirs({
+  'default' => { 'gitaly_address' => 'tcp://gitaly:8075' },
+})
+
+## Disable components that will not be on the GitLab application server
+roles ['application_role']
+gitaly['enable'] = false
+nginx['enable'] = true
+letsencrypt['enable'] = false
+
+## PostgreSQL connection details
+gitlab_rails['db_adapter'] = 'postgresql'
+gitlab_rails['db_encoding'] = 'unicode'
+gitlab_rails['db_host'] = 'postgres' # IP/hostname of database server
+gitlab_rails['db_password'] = File.read('/run/secrets/postgres_password')
+
+## Redis connection details
+gitlab_rails['redis_port'] = '6379'
+gitlab_rails['redis_host'] = 'redis' # IP/hostname of Redis server
+gitlab_rails['redis_password'] = File.read('/run/secrets/redis_password')
+
+# Set the network addresses that the exporters used for monitoring will listen on
+node_exporter['listen_address'] = '0.0.0.0:9100'
+gitlab_workhorse['prometheus_listen_addr'] = '0.0.0.0:9229'
+sidekiq['listen_address'] = "0.0.0.0"
+puma['listen'] = '0.0.0.0'
+
+# Add the monitoring node's IP address to the monitoring whitelist and allow it to
+# scrape the NGINX metrics. Replace placeholder `monitoring.gitlab.example.com` with
+# the address and/or subnets gathered from the monitoring node
+gitlab_rails['monitoring_whitelist'] = ['10.0.1.0/24', '127.0.0.0/8']
+nginx['status']['options']['allow'] = ['10.0.1.0/24', '127.0.0.0/8']
+
+## Uncomment and edit the following options if you have set up NFS
+##
+## Prevent GitLab from starting if NFS data mounts are not available
+##
+#high_availability['mountpoint'] = '/var/opt/gitlab/git-data'
+##
+## Ensure UIDs and GIDs match between servers for permissions via NFS
+##
+#user['uid'] = 9000
+#user['gid'] = 9000
+#web_server['uid'] = 9001
+#web_server['gid'] = 9001
+#registry['uid'] = 9002
+#registry['gid'] = 9002

docker-compose.yml

@@ -0,0 +1,103 @@
+version: "3.3"
+
+services:
+  # loadbalancer:
+  #   image: ${GITLAB_IMAGE}
+
+  postgresql:
+    image: ${POSTGRESQL_IMAGE}
+    restart: always
+    env_file:
+      - ${env_files}/postgresql.env
+    secrets:
+      - postgres_password
+    # volumes:
+    #   - ${volumes}/postgresql/var/lib/postgresql/data:/var/lib/postgresql/data
+    #   - ${volumes}/postgresql/etc/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf
+
+  redis:
+    image: ${REDIS_IMAGE}
+    restart: always
+    command: sh -c redis-server --requirepass $$(cat /run/secrets/redis_password)
+    secrets:
+      - redis_password
+    # volumes:
+    #   - ${volumes}/redis/data:/data
+
+  rails:
+    image: ${GITLAB_IMAGE}
+    restart: always
+    env_file:
+      - ${env_files}/gitlab.env
+    secrets:
+      - gitaly_auth_token
+      - gitlab_root_password
+      - gitlab_shell_secret_token
+      - postgres_password
+      - redis_password
+    volumes:
+      - ${configs}/rails/gitlab.rb:/gitlab.rb
+      #
+      - ${volumes}/rails/etc/gitlab:/etc/gitlab
+      - ${volumes}/rails/var/log/gitlab:/var/log/gitlab
+      - ${volumes}/rails/var/opt/gitlab:/var/opt/gitlab
+    # ports:
+    #   - 88:80
+    labels:
+      - "traefik.enable=true"
+
+      # Web Interface
+      - "traefik.http.routers.http_gitlab.rule=Host(`${GTILAB_EXTERNAL_URL}`)"
+      - "traefik.http.routers.http_gitlab.entrypoints=web"
+      - "traefik.http.routers.http_gitlab.middlewares=defaultchain@file,redirectToHttps@file"
+
+      - "traefik.http.routers.https_gitlab.rule=Host(`${GTILAB_EXTERNAL_URL}`)"
+      - "traefik.http.routers.https_gitlab.entrypoints=websecure"
+      - "traefik.http.routers.https_gitlab.middlewares=defaultchain@file"
+      - "traefik.http.routers.https_gitlab.service=gitlab"
+      - "traefik.http.routers.https_gitlab.tls=true"
+      - "traefik.http.routers.https_gitlab.tls.certresolver=hetzner01"
+      - "traefik.http.routers.https_gitxlab.tls.domains[0].main=${GTILAB_EXTERNAL_URL}"
+      
+      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
+      - "traefik.http.services.gitlab.loadbalancer.server.scheme=http"
+      - "traefik.http.services.gitlab.loadbalancer.healthcheck.interval=10s"
+      - "traefik.http.services.gitlab.loadbalancer.healthcheck.port=80"
+      - "traefik.http.services.gitlab.loadbalancer.healthcheck.scheme=http"
+      - "traefik.http.services.gitlab.loadbalancer.healthcheck.path=-/-/readiness"
+      - "traefik.http.services.gitlab.loadbalancer.sticky.cookie=true"
+
+  gitaly:
+    image: ${GITLAB_IMAGE}
+    restart: always
+    env_file:
+      - ${env_files}/gitlab.env
+    secrets:
+      - gitaly_auth_token
+      - gitlab_shell_secret_token
+    volumes:
+      - ${configs}/gitaly/gitlab.rb:/gitlab.rb
+      #
+      - ${volumes}/gitaly/etc/gitlab:/etc/gitlab
+      - ${volumes}/gitaly/var/log/gitlab:/var/log/gitlab
+      - ${volumes}/gitaly/var/opt/gitlab:/var/opt/gitlab
+
+secrets:
+  gitaly_auth_token:
+    file: ${secrets}/gitaly_auth_token.txt
+  gitlab_root_password:
+    file: ${secrets}/gitlab_root_password.txt
+  gitlab_shell_secret_token:
+    file: ${secrets}/gitlab_shell_secret_token.txt
+  postgres_password:
+    file: ${secrets}/postgres_password.txt
+  redis_password:
+    file: ${secrets}/redis_password.txt
+
+networks:
+  default:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.0.1.0/24

env_files/gitlab.env.sample

@@ -0,0 +1,3 @@
+GITLAB_OMNIBUS_CONFIG="from_file('/gitlab.rb')"
+
+EXTERNAL_URL=${GTILAB_EXTERNAL_URL}

env_files/postgresql.env.sample

@@ -0,0 +1,5 @@
+POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+
+# DO NOT CHANGE THOSE
+POSTGRES_USER=gitlab
+POSTGRES_DB=gitlabhq_production

secrets/gitaly_auth_token.txt.sample

@@ -0,0 +1 @@
+yourSecretKey

secrets/gitlab_root_password.txt.sample

@@ -0,0 +1 @@
+yourSecretKey